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15 

Field of the Invention 



This invention relates to digital signatures in computer documents, and more 
particularly to time stamping digital signatures so that the latest time will be 
20 unambiguously known. 



Background 

Time stamping is a set of techniques enabling the ascertaining of when an 
25 electronic document was created or signed. The real importance of time-stamping 
comes about with the legal use of long lifetime documents. A problem with time 
stamping signed documents comes about when, for example, the signer repudiates 
the document and the cryptographic primitives become unreliable. The security of 
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the signature becomes questionable. For example, a signer might claim she had lost 
her signature key, repudiate the signing, and bring the authenticity of a signature into 
question in order to escape responsibility for a document. 

5 Recently, especially in the local regulation of digital signatures, 

organizational and legal questions about reliability in time stamping signatures have 
been gaining world wide attention. In the prior art, in addition to defining the 
responsibilities of the owner of the signature, the duties and responsibilities of the 
Time Stamping Service (TSS) employed must be stated. It is becoming increasingly 
10 important that trust of the TSS not be an issue; or that questions relating to the need 
to trust the TSS be minimized. In order to make users liable only for their own 
actions, the offender in a situation involving a digital signature infraction must be 
positively identifiable, even if the offender is the TSS. 

Digital signatures, since they are administered by systems that inherently do 
15 not have any relation to physical time (real time) in their operation, do not have real 

time acknowledgments. For this reason, the association of an electronic document 
directly to a unique moment in time is difficult, and may be impossible. The best we 
can do with time stamping is Relative Temporal Authentication (RTA), that is, we 
can associate a document with some relative time that we trust. 

20 This method, which is often used, is based on a complexity-theoretic 

assumption of the existence of collision^resistant one-way hash functions. RTA 
gives the verifier with two time stamped documents the ability to verify which of the 
two was created first. 



25 



The following examples of existing time stamping systems will illustrate the 
problems: 1 
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1) An example of an existing time stamping technique is a simple time 
stamping protocol. The TSS appends the current time t to the current document X, 
the composite document is signed, and two values, t and s=sig TSS (t,X) are returned to 
the client. A weakness of this approach is the unreliability of documents with old 
5 time stamps after a signature key leakage, which may make it impossible to verify 
the time t on the document. This implies that for a reasonable solution the TSS must 
be unconditionally trusted. It is therefore widely accepted that a secure time 
stamping system cannot rely solely on the keys or on any other secret information of 
that sort. 

10 2) One example of an embodiment of a digital signature certification 

system of the type discussed above is shown in [BHS92,HS97] and Patent No. 
5,136,646 by Haber and Stornetta. Signatures with time certificates attached are 
linked together in a one-way function, such that the verifier is able to follow a step 
by step chain of intermediate time stamps, and is able to ascertain at each step which 

1 5 was created earlier. In this way a type of time tree is grown, with the credibility of 
the signature verified by trusted documents preceding and following in time. 

The time certificate for the n-th submitted document is: 
c= ^Tss( n »tn^n>Xin^n)» where t n is the current time, ID n is the identifier of the 
submitter, and L n is the n-th catenate certificate defined by the recursive formula: 
20 Ln^tn.tJDn.pX^pHCLn-i))* H is a collision-resistant one-way hash 

function. 

There are several complications with the implementation of the above 
system. The number of steps needed to verify the one-way relationship between two 
time stamps is linear with respect to the number of time stamps between them, so a 
25 single verification may be as costly as creating an entire chain. 
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It was pointed out in the publication of the Benolah-de Mare proposal 
[BdM91] that this solution has impossible trust and broadcast requirements. A 
modification was proposed [HS91] wherein, every time stamp is linked with k>l 
time stamps directly preceding. This variation decreases the requirements for 
5 broadcasting but increases the space required for storing individual time stamps. 

3) Tree linking systems as disclosed [in BdM91, BHS92, HS97] US 
Patent Number Re. 34,954 reduce verification cost in a significant way. 

[BHS92] illustrated in Fig. A]. The time-stamping procedure is divided into 
rounds. The time-stamp R, for round r is a cumulative hash of the time stamp R T _ 1 for 

10 round r-1 and of all the documents submitted to the TSS during the round r. After 
the end of the r-th round a binary tree T r is built. Every participant P i who wants to 
time-stamp at least one document in this round, submits to the TSS a hash y ui which 
is a hash of all the documents he wants to time-stamp in this round. The leaves of T r 
are labeled by the submitted data items y v Each inner node k of T r is recursively 

15 labeled by numerical values H k i^HQl^ Hj^J, where k L and k R are correspondingly 
the left and the right child nodes of k, and H is a collision-resistant hash function. 
The TSS has to store only the time-stamps R,. for rounds (Fig. 1). All the remaining 
information, required to verify whether a certain document was time-stamped during 
a fixed round is included into the time certificates. 

20 A time certificate of a document comprises the information required to verify 

whether a certain document was time stamped during a fixed round, i. e., for 
restoring the label of the predecessor node needed to know the labels of the sibling 
nodes. For example, the time certificates for y 3 in Figure 1 is (r;(y 4 ,L),(H 4J R)). The 
verifying procedure of the time stamp of y 3 consists of verifying the equality: 



25 



R r =H(H(H 4 ,H(y 3 ,y 4 )),R T . 1 ). 
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The size of the time certificate and thereby also the number of computational 
steps during the verification is logarithmic on the number of documents submitted. 
The values of R, are stored into a database and some of them are published in a 
newspaper. 

5 The schemes are feasible but provide the RTA for the documents issued 

during the same round only if we unconditionally trust the TSS to maintain the order 
of time-stamps in T r . Therefore, this method either increases the need for trust or 
otherwise limits the maximum temporal duration of rounds to the insignificant units 
of time (one second in Digital Notary system). However, if the number of submitted 
10 documents during a round is too small, the expenses of time-stamping a single 
document may become unreasonably large. 

Summary of the Invention 

The present invention comprises a method of time-stamping a digital 
document using a binary linking scheme where the value of the catenate certificate 
15 L n is generated by applying a one-way hash function H to a catenation comprising 
the value of the catenate certificate L n _j and the value of another suitably chosen 
catenate certificate L /(n)> with/being a fixed deterministic function algorithm, i.e. 

With choosing the function / appropriately it is possible to verify a one-way 
20 relationship between two time-certificates with a number of computational steps 

proportional to the logarithm of the number of time-stamped documents. A function 
/is presented that guarantees logarithmic verification^ 
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A binary linking scheme is presented where the linking function /is chosen 
in such a way that it satisfies the anti-monotonic property, i.e. XhzXf(m)<n<m 
implies f(n)^f(m). Said property is sufficient for the existence of a series 
n(l),...,n(k),... of indices such that, for each k 9 the time-certificate L n(k) is generated 
5 only using the values of L Jy where n(k-l)<i<n(k)> and ofL n(/) with j<k Thus, the 
intervals between the issuance of different L n(k) can be thought about as the rounds. 
The anti-monotonic property says that the time-stamp for a round is not linked 
directly to the inner time-stamps of other rounds. 

A method is also presented of certifying the moment of signing, not only the 

1 0 moment of submitting. Before signing a document X a principal P generates nonce 
TV and time-stamps it. By a nonce is meant sufficiently long random bit-string, such 
that the probability it has been already time-stamped is negligible. Principle P then 
includes the time-stamp L(N) of AT to the document, signs it and obtains the time- 
stamp L(S) of the signature S=D p (L(N),X). For the verification of the document X, 

15 the verifier has to compare both these time-stamps with the time-stamps trusted by 
the verifier (which may be nonces generated by the verifier herself). As there are 
one-way dependencies between L(N), S and L(S) the verifier may conclude that the 
signature was created in the time-frame between the moments of issuance of L(N) 
and of L(S) respectively. If these moments are close enough, the signing time can be 

20 ascertained with necessary precision. In this solution there are no supplementary 
duties to the TSS or to the other principals. 

A time-stamping procedure is also defined, as follows: (1) the client sends to 
the TSS the data item A" to be time-stamped; (2) the TSS answers immediately by 
sending then current L n and the necessary data for verifying the one-way dependency 

25 between L n and the time-stamp for the previous round. The TSS signs L n and sends 
the signature D^/n, LJ to the client; (3) if the round is over, the client may apply 
the TSS for the data necessary to verify a one-way relationship between L n and the 
time-stamp for round. Therefore, the TSS is not able to rearrange the time-stamps 
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during a round. This means the present scheme reduces the need for trusting the 
TSS in maintaining the temporal order of time-stamped documents. 

Brief Description of the Drawings 

5 Fig. 1 is flow chart of a tree linking system for the certification of Digital 

Signatures. 

Fig. 2 is flow chart of a binary linking system (BLS) for the certification of 
Digital Signatures. 

Fig. 3 is flow chart of a BLS with the shortest verification links between 
1 0 digital signatures . 

Fig. 4 is a flow chart of an Accumulated Linking System (ALS) which may 
be used in the invention. 

Fig. 5 is flow chart of a Time Stamp system of the invention. 

Table I is a definition of a recursive linking system for digital signature 
15 verification. 

Table II shows how recursive linking may be programmed on a computer. 

Table III is a proof that a further reduction in the complexity of linking 
digital signatures is not feasible beyond the invention. 

Table IV-A and IV-B comprise proofs of the sufficiency of the invention for 
20 verification of digital signatures as disclosed. 
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Description of the Preferred Embodiment 

In the following a definition is given of time-stamping systems applicable in 
legal situations. Later the approach will be justified and compared to older systems. 

A time-stamping system consists of a set of principals with the time- 
5 stamping server (TSS) together with a triple (S, V, A) of protocols. The stamping 
protocol S allows each participant to post a message. The verification protocol V is 
used by a principal having two time-stamps to verify the temporal order between 
those time-stamps. The audit protocol A is used by a principal to verify whether the 
TSS carries out his duties. Additionally, no principal (in particular, TSS) should be 
1 0 able to produce fake time-stamps without being caught. 

A time-stamping system has to be able to handle time-stamps which are 
anonymous and do not reveal any information about the content of the stamped data. 
The TSS is not required to identify the initiators of time-stamping requests. 

The present notion of a time-stamping system differs from the one given in, 
15 e.g., [BdM91] in several important aspects. The differences are explained below. 

Relative Temporal Authentication: 

The main security objective of time-stamping is temporal authentication - 
ability to prove that a certain document has been created at a certain moment of 
time. Although the creation of a digital data item is an observable event in the 

20 physical world, the moment of its creation cannot be ascertained by observing the 
data itself. The best one can do is to check the relative temporal order of the created 
data items (i.e., prove the RTA) using one-way dependencies defining the arrow of 
time, analogous to the way in which the growth of entropy defines the arrow of time 
in the physical world. For example, if H is a collision-resistant one-way hash 

25 function, one can reliably use the following "rough" derivation rule: if H(X) and X 
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are known to. a principal P at a moment t, then someone (possibly P itself) used X to 
compute H(X) at a moment prior to t. Preferably, the system utilizes collision- 
resistant one-way hash functions. 

Definition 1 . A collision-resistant one-way hash function is a function H 
which has the properties of compression, ease of computation, preimage resistance, 
2nd-preimage resistance and collision resistance. 

Definition 2. Let p be a binary relation on N, such that x p y implies x < y 
and H to be a collision-resistant one-way hash function. A (p, H)-linking scheme is 
a procedure to link a family (HJ of data items together using auxiliary linking items 
L n satisfying the recursive formula 

L n : = H (Hn, L n 1, ... ,Ln (p _ l(n) ), 

where nl ^ ... z n^ J(n) are exactly the elements of p"'(n) := (m | m p n) (the preimage 
of n by p). A sequence (mj^, where m { p m i+1 is called a verifying chain between 
nij and m e with length £. 

In the context of time-stamping H n = H(n,XJ, where X„ denotes the n-th 
time-stamped document. The linking item L n is also referred to as a time-stamp of 
X^. Note that a one-way relationship between L n and L m (n < m) does not prove that 
in the moment of creating X„ the bit-string X^ did not exist, but we do know that X„ 
did exist at the moment of creating L m . 

We have omitted the t„ in the formula for H n , whereas it should not be taken 
for granted that the value t n indeed represents the submission time of X^. The only 
way for a principal to associate a time-stamp with a certain moment of time is to 
time-stamp a nonce at this moment. By a nonce we mean a sufficiently long random 
bit-string, such that the probability it has been already time-stamped is negligible. In 
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order to verify the absolute creating time of a document time-stamped by another 
principal, the verifier has to compare the time-stamp with the time stamps of nonces 
generated by the verifier herself. In this solution there are neither supplementary 
duties to the TSS nor to the principals. The use of nonces illustrates the similarity 
5 between time-stamping and ordinary authentication protocols, where nonces are 
used to prevent the possible reuse of old messages from previous communications. 

By using RTA it is possible to determine not only the submitting time of the 
signature but also the time of signing the document. Before signing a document X 

10 the principal P generates a nonce N and time-stamps it- He then includes the time- 
stamp L(N) of N to the document, signs it and obtains the time-stamp L(o) of the 
signature o=sigp (L(N), X), From the view-point of the TSS these stamping events 
are identical (he need not be aware whether he is time-stamping a nonce or 
meaningful data). For the verification of the document X, the verifier has to 

15 compare both these time-stamps with the time-stamps trusted by her. As there are 
one-way dependencies between L(N), a and L(o) the verifier may conclude that the 
signature was created in the time- frame between the moments of issuance of L(N) 
and of L(o) respectively. If these moments are close enough, the signing time can 
be ascertained with necessary precision. 

20 3.2 Detection of Forgeries 

A time-stamping system must have properties enabling users to verify 
whether an arbitrary time-stamp is correct or not. Possession of two documents with 
corresponding time-stamps is not enough to prove the RTA between the documents 
because everyone is able to produce fake chains of time-stamps. 

25 A time-stamping system should allow the user (1) to determine whether the 

time-stamps possessed by an individual have been tampered with; and (2) in the case 
of tampering, to determine whether the time- stamps were tampered with by the TSS 
or tampered after the issuing (generally by unknown means). In the second case, 
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there is no one to bring an action against. The principals interested in legal use of 
time-stamps should themselves verify their correctness immediately after the issuing 
(using signatures and other techniques discussed later) because if the signature of the 
TSS becomes unreliable, the signed time-stamps cannot be used as evidence. In 
order to increase the trustworthiness of the time-stamping services it should be 
possible for the clients to periodically inspect the TSS. Also, in the case when the 
TSS is not guilty he should have a mechanism to prove his innocence, i.e., that he 
has not issued a certain time-stamp during a certain round. 

Additionally, the TSS must publish regularly, in an authenticated manner, the 
time-stamps for rounds [BdM91] in mass media. If the time- stamping protocol 
includes (by using collision-resistant one-way hash functions) (1) the message digest 
of any time-stamp issued during the r-th round, into the time-stamp for r-th round, 
and (2) the message digest of the time-stamp for round r - 1 into any time-stamp 
issued during the r-th round, it will be difficult for anyone to forge a time-stamp 
without detection. The forgery detection procedures should be simple. Forgeries 
should be determinable either during the stamping protocol (when the time-stamp, 
signed by the TSS, fails to be correct) or later when it is unable to establish the 
temporal order between two otherwise correct time-stamps. 

3 . 3 Feasibility Requirements 

The time-stamping systems of [BdM91] and [HS97] use nonlinear partial 
ordering of time-stamps and therefore do not support RTA. A later discussion 
shows how to modify the linear linking scheme [HS91] to fulfill the security 
objectives (RTA and detection of forgeries). On the other hand, in practice, in this 
scheme the detection of forgeries would take too many steps. It is easy to forge 
time-stamps assuming that the verifier has limited computational power. This leads 
to the question of feasibility. In order to make RTA feasible in the case when time- 
stamps belong to different rounds, it is reasonable to define an additional layer of 
links between the time-stamps for rounds. 
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Definition 3. Assume (p,H) and (6,H) linking schemes and a monotonically 
increasing function £: N-N. By a (p,£, 6, H)-linking scheme is meant to be a 
procedure for linking a family (HJ of data items together using auxiliary linking 
items L n and SE r satisfying the recursive formulas shown in Table I. 

5 The values ££ r are also referred to as the time-stamps for rounds. Note that 

the time-stamps requested from the TSS during the verification protocol should 
belong to the set of time-stamps for rounds because only these time-stamps are 
available in the time-stamping server. 

Definition 4. A (P s £,5 5 H)-linking scheme is said to be an Accumulated 
1 0 Linking Scheme (ALS) with rank m, if 

1. If?(r)<n^Ur+l)thenp 1 (n)CK(r+l)^ (r+l)]U£(N). 

2. £(r+l)-5(r)*m. 

A (p, H)-linking scheme enables accumulated time-stamping if for arbitrary 
15 positive m there exists such that the (p, p, H)-scheme is an ALS with rank m. 

If the linking scheme used enables accumulated time-stamping, the duration 
of the rounds can be flexibly enlarged in order to guarantee that only a negligible 
fraction of the time-stamps are kept in the memory of the time-stamping server. 

20 Let n be the total number of time-stamps issued till the moment of the 

current run of stamping/verification protocol. The feasibility requirements can be 
summarized with the following: 

1. The number of the evaluations of the hash function during the verification 
protocol should be 0(log n). In particular, the number of time-stamps examined 

25 during a single run of the verification protocol should be 0(log n); 

2. There should be a conveniently small upper bound to the length of 
rounds, whereas the clients want to get their time-stamps in reasonable time. It 
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seems to be sensible to require that the stamping protocol of the n-th document must 
terminate before the TSS has received additional 0(log n) time-stamp requests. In 
real applications it is desirable for the average length of rounds to be constant (this 
would guarantee that for an arbitrary constant c there would be a negligible fraction 
5 of rounds with length greater then c). 

3. The size of an individual time-stamp should be small. 

There is a trade-off between these quantities. Later there is presented an 
improvement of the scheme above. 

First Version of The System: Linear Linking 
10 For pedagogical reasons, the protocols and the basic organizational principles 

of the system using the linear linking scheme are outlined below. This scheme 
fulfills all the trust requirements but is impractical. Further, the described scheme is 
significantly improved by replacing the linear scheme with a binary linking scheme. 

15 Let the number M of time-stamps per round be a constant known to the 

participants (clients) and all the data items X„ be of fixed size. Therefore, in the case 
of the linear linking scheme, the time-stamp for the r-th round has a number £ r = M - 
r. 

Role of the TSS: 
20 The TSS maintains the following three databases: 

L the database Dc of the time-stamps of the current round. 

2. the database Dp of the time-stamps of the previous round. 

3. the database Dr of the time- stamps for rounds. 

These databases are considered to be on-line in the sense that any client can 
25 make requests into them at any moment. The fourth database (the complete data- 
base of time-stamps) is also stored but not on-line (it may be stored into an archive 
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of CDs). Requests to this database are possible, but costly (e.g., requiring human 
interaction). After the end of each round, the time-stamps in D p are stored to a 
separate CD (this procedure may be audited). Thereafter Dp is emptied. The time- 
stamp Rr for the current round is computed, added to Dr and published in a 
newspaper or similar publication (two processes which should be audited). The 
database Dc is copied into Dp and a new database Dc is created. 

Stamping Protocol: 

Suppose, the current round number is r. 

1 . Client sends X„ to the TSS. 

2. The TSS finds H n =K(^Xj and ^(H^.,), and adds the pair (H^LJ to 

Dc. 

3. The TSS signs the pair (n, L n ) and sends (n, L n , Sig TSS (n,L n )) back to the 

client. 

4. The TSS sends the tuple head(n) = (H^,, fi^, , H 4rH + 1) to the client. 

5. The client verifies the signature of TSS and checks whether 

H^H^, 5 H(H^ + 1,L^) )) = L n 

where the true values L^ r can be found either from the newspaper or by requesting 
for their values from the on-line database D r of the TSS. 

After the M requests have been answered the TSS finishes the round by 
finding L £r = H (H^ r ,L eM )(where K\ =(H^,L £r .,)) and publishing L er and his public 
key K TSS in the newspaper or the like. The client may now continue, during a 
limited period, the protocol in order to get the complete individual time-stamp for 

6. The client sends a request to the TSS. 

7. Let tail (n) = (H^ M , H^_ 2 , H^H^,). The TSS answers by sending (tail 
(n), sig TSS (tail (n))) to the client. 

8. The client checks whether 

L^ r = H <H 4M , H (H^, H (H^ , H (H a+1 , L n ))...)) 
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Definition 5. The complete individual time-stamp s n for the n-th document is 
SnrKtaiKnXhead^^^sigTssCn.LJ). 

Every client who is interested in the legal use of a time-stamp, should 
validate it during the stamping protocol. In a relatively short period between the 1st 
and the 3rd step and between the 4th and 6th step, the signature key of TSS is trusted 
to authenticate him and therefore, his signature on an invalid head (n) or tail (n) can 
be used as an evidence in the court. But the client is responsible for doing it when 
the signature key of TSS can still be trusted. Later, the signature of TSS may 
become unreliable and therefore only the one-way properties can be used. 

Verification Protocol: 

Let r (n) denote the round where s n was issued. Assume, the verifier has two 
time-stamped documents (X m ,s m ) and (X^sJ where m < n. 

1. The verifier checks the validity of the equations (2) and (3) for both time- 
stamps. 

2. If r (m) = r (n) then the data held in tail (m) and head (n) will be enough to 
check whether 

L n = H(H n3 H(H n . |3 HOI^LJ )). 

3. If r (m) < r (n) } the verifier sends a request to the TSS. 

4. The TSS answers by sending the tuple 

V mn = (K\ T (n) - 1, U\ r (n) - 2, , (m)) 

and the signature sig-^g (V mn )to the verifier. 

. 5. The verifier validates the signature, finds L er<m) using (3), finds L r (n) -1 
using the formula 

L i<n)-i = H (H\ t(n) _ l9 H (H^ r(m) , L Wm) )...)). 
and finally, compares the value of L n in s n with the value given by (2). 

Audit Protocol: 

Because of the possible legal importance of the time-stamps issued by the 
TSS,.there should be some mechanism to audit the TSS. One easy way to do it is to 
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periodically ask for time-stamps from the TSS and verify them. If these time-stamps 
are linked inconsistently (i.e., Eq. (2) and (3) hold for both time-stamps but the 
verification protocol fails), the TSS can be proven to be guilty. Also, there has to be 
a mechanism for the TSS to prove that he has not issued a certain time-stamp S in a 
5 certain round r. This can be done if the TSS presents all the time-stamps issued 
using the r-th round, and the time-stamp, found by using these time-stamps and the 
linking rules, coincides with the published time-stamp. 

Above an outline is presented of a time-stamping system that fulfills trust 
10 requirements. Next is shown how to make this system feasible by using a BLS as 
shown in Fig. 4. 

In order to issue the individual time-stamp for the n-th document, the TSS 
has to find the shortest verifying chains between ^ n) ., and n and between N and £ Kn) . 
15 The n-th individual time-stamp consists of the minimal amount of data necessary to 
verify the mutual one-way dependencies between all Lj which lay on these chains. It 
can be shown that if f satisfies the implication 



20 



25 



m > n - (f (m) s f (n) V f (m) ^ n) 

then (f,H) enables accumulated time-stamping (the proof has been omitted 
because of its technicality.) In particular, the binary linking scheme described in 
enables accumulated time-stamping. For a fixed m let k := [log 2 m], £ 0 := 0, £, := 2 k 
1 (the source of T k ) and for arbitrary i > 1, 



£ 2 J "+S, 2 j ,ifi*2 j 
2-Zn+l, if i=2\ 

where j := [log 2 i]. The length of the n-th time-stamp in this scheme does not exceed 
30 2 -3 • log(n)- x bits, where x is the output size of the hash function H. 
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The maximum length of rounds grows proportionally to 0(log n). However, 
the average length of rounds is constant and therefore it is practical to publish the 
time-stamps for rounds after constant units of time. This can be achieved easily with 
the following procedure. If the "deadline" for a round is approaching and there are 
still q time-stamps not issued yet, assign random values to the remaining data items 
H„. 

Remark 1 . Denote by ord n the greatest power of 2 dividing n. In the ALS 
presented above, it is reasonable to label time-stamps in the lexicographical order 
with pairs (n, p), where 0<; p z ord n and n > 0. Then, 

(0,p) n=2 p 

f(n,p):={ 

(n-2 p ,ord(n-2 p )), otherwise 

and g(n, p) := (n,p-l) if p > 0 and g(n, 0):= (n - 1, ord (n-1)). Also, the formulas of ^ 
will simplify. In this case, £(i) := {2^ x i, k - 1 + ord i), for i ^ 1. 

It is easy to show that for each n and m the shortest verifying chain between 
n and m is uniquely defined. The data u mn necessary to verify the one-way 
dependence is computed by the procedure TSData(m, n) as shown in Table II and 
illustrated in Fig. 5. 

Let (f, H) be a BLS satisfying the implication (4). Let x < y < z < w and C„ 
C 2 be verifying chains from z to x and w to y respectively. It is obvious that C, and 
C 2 have a common element. Thus, if m < n then the verifying chains tail (m) and 
head (n) have a common element c which implies the existence of a verifying chain. 

(m = n c , n„ , n i . l9 r\ = C, n i+I ,... s n i . ,,n c = n) 
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This chain can be found by a simple algorithm and is of logarithmic length. 
Let (m) denote the round into which m belongs. The proof of the last claim for the 
case r (m) = r (n) is given below under the heading proof of Theorem 1 . If m and n 
belong to different rounds, the verifying is straightforward, because of the similar 
5 structure of the second layer of links, the verifying chain from n to m is of the form 

(m, ...,m\£ r(m) ,n',...,n). 

where the number of £/ B is logarithmic due to the fact that the time-stamps for 
rounds are linked together in a way similar to the linking of all time-stamps (Fig. 2). 
The length of the sequences (m,....m') and (n\ , n) is also logarithmic. 

10 Example 2. For the chains given in Example 1, the common element is 7 and 

the verifying chain between 4 and 10 is (4, 5, 6, 7 5 10). 

Corollary 1. Due to the similarity between the verification and the stamping 
procedure, for an arbitrary pair of time-stamped documents the number of steps 
executed (and therefore, also the number of time-stamps examined) during a single 
15 run of the verification protocol is 0(log n). 

Optimality: 

Our solution meets asymptotically the feasibility requirements, but could 
these requirements be refined? Mostly not, an insight into this is given below. 
Namely, we show that for any linking scheme there does not exist a time-stamping 
20 solution where (1) the length of the time-stamps is O (log n), (2) for any m and n 
there exists a verifying chain between m and n with the length O (log n) that is 
completely contained in the union S(m) U S(n) of the corresponding individual time- 
stamps and (3) the stamping protocol will end in a logarithmic time. 
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We prove this under the assumptions (1) that an individual time-stamp is a 
subset of N and (2) that the size of a time-stamp is proportional to the size of ||S(n)|| 
+lp' l (S(n)||==0(||p' 1 (S(n)||) (holds if the transitive closure p n of p coincides with the 
natural order <, i.e., the time stamp S(n) consists of tail (n) and head (n))). 

5 Theorem 2. Let p be a binary relation on N satisfying P" = < There does not 

exist a function S: ||N - 2 ,N such that 

1. Ip' 1 (S(n))|<c, log n for some c,, for any n; also see Table IV- A and IV-B. 

2. For every m and n there exists a p-chain(m=m I ^n 2 ,...,m k =n) where 
m i =S(m)uS(n) (that is, the number of stamps to examine during the verification 

10 protocol is greater than 2). 

3. For any n, max (S(n)) - n < c 2 log n for some constant c 2 as shown in 
Table III. 

The Theorem 2 can be straightforwardly generalized to claim that the number 
of examined time-stamps must be greater than any fixed constant. 

1 5 Proof of Theorem 1 : 

We will prove an upper bound for the length of the verifying chain for the 
linking scheme described elsewhere. Let e k = 2 k - 1 , i.e. e k is the number of the last 
vertex of T k . To simplify the proof we add the vertex 0 to the scheme and link it 
with all the vertices that have less than two outgoing links. These are exactly the 

20 vertices e K . Let L(a, b) denote the length of the shortest path between a and b. The 
equations L (O, ej = 1, L (ek., , ek) = 2 and e k . 1 = e^, + 1 follow immediately from 
the definition. 
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Binary Linking Scheme: 

In the current section we give a construction of a practical linking scheme 
with logarithmic upper bound to the length of the shortest verifying chain between 
any two time-stamps. 

5 Definition 6. Let f and g be functions from N to N satisfying the condition 

f(n)<sg(n)<n for any n. A(f,g,h) binary linking scheme (BLS) is a (p,H) linking 
scheme where for any n, p -I (n) [=(f(n), g(n)). In order to guarantee the existence of a 
verifying chain between arbitrary x and y, we have to take g^r^n-l . In these cases 
we omit n-1 and talk about an (f,H)-BLS. 

10 A binary linking scheme can alternatively be defined as a directed countable 

graph which is connected, contains no cycles and where all the vertices have two 
outgoing edges (links). Let us construct an infinite family of such graphs Tk in the 
following way: 

L Tl consists of a single vertex which is labeled with the number 1 . This 
15 vertex is both the source and the sink of the graph Tl 

2. Let Tk be already constructed. Its sink is labeled by 2 k -l . The graph 
Tk+1 consists of two copies of Tk, where the sink of the second copy is linked to the 
source of the first copy, and an additional vertex labeled by 2 k+I -l which is linked to 
the source of the second copy. Labels of the second copy are increased by 2 k -l. The 
20 sink of Tk+1 is equal to the sink oft the first copy, the source of Tk+1 is equal to the 
vertex labeled by 2 k+1 - 1. 

Thereafter, link all the vertices of the second copy which have less than two 
outgoing links to the source of the first copy. Note that there is now a double link 
25 from the sink of the second copy to the source of the first copy as shown in Fig. 3. 
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The sequence (Tk) defines a binary linking scheme, add links from the 
sources of any such initial segment to a special vertex labeled by 0 (Fig. 2). Here 
(see also Rem. 1), f(n)=n-2 h(n) +l, where h(n) is given recursively by the equation 
below and as illustrated in Fig. 4. 

k, ifn=2 k -l, 

h(n)={ 

/Kn+l-2 k ' 1} if2 k - | sn<2 k -l. 

Theorem 1. Let l(a,b) be the length of the shortest verifying chain from b to 
a. Ifk>2 and 0<a<;b<2 k then l(a,b)<;3k-5. 

Theoretical and practical considerations of the present invention are: 

1) the importance of trust of the TSS in time stamping is significantly 
reduced, and 

2) time complexity of Relative Temporal Authentication (RTA) becomes 
logarithmic with the number of issued time stamps. 

An embodiment of the present invention comprises a method of time 
stamping a digital document using binary linking. A catenate certificate L n is 
generated by applying a one-way hash function H to a concatenation of the value of 
the catenate certificate L n .j and the value of a suitably chosen catenate certificate 
L^ n) , where f is a fixed deterministic function, such as: 

The time t n has been omitted. It should not be taken for granted that the 
value t n actually represents the submission time of document X„. With choosing the 
function f appropriately it is possible to verify a one-way relationship between two 
time certificates with a number of computational steps proportional to the logarithm 
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of the number of time stamped documents that are to be reviewed. A function f of 
the invention, which was presented at [BLLV98], guarantees logarithmic 
computational steps in a signature verification. 

In an embodiment of the binary linking system of the invention, a linking 
5 function f, which satisfies an anti-monotonic property such as f(m)<n<m, which 
implies f(n)>f(m) or f(n)=f(m), is sufficient for the existence of a series n(l),...,n(k). 
The indices are such that for each k the time certificate L n(k) is generated exclusively 
with values of Lj, where n(k-l)<j<n(k), and of L n(j) with j<k. Treating intervals 
between the issuance of different L n(k) as "rounds", the anti-monotonic property 
10 insures that the time stamp for a round is not linked directly to the inner time stamps 
of other rounds. 

In another embodiment of the invention, the moment of signing, not just the 
moment of submitting, is certified. Before signing a document X a principal P 
generates nonce N and time stamps it. A nonce is a long random bit string, with an 
arbitrary length judged sufficient to reduce the probability of a conflict with another 
time stamp to insignificance. The time stamp L(N) of N is then included in the 
document, the document signed, and a time stamp certification L(S) of the signature 
S=D P (L(N),X) results. From the standpoint of the TSS, the time stamping events are 
identical; that is, the TSS does not know or need to know whether the time stamping 
is for a nonce or for meaningful data. For the verification of the document X, the 
verifier compares both time stamps with other time stamps trusted by the verifier; 
which may be nonces developed for this purpose. 

Since the dependencies between L(N), S, and L(S) are one-way, the verifier 
can conclude that the signature was created in the time frame between the moments 
25 of issuance of L(N) and of L(S), respectively. If these moments are close enough in 
time, the signing time can be ascertained with precision. In this embodiment there 
are no supplementary duties for the TSS or other principals. 
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In yet another embodiment, limited reliance on the TSS allows for a 
simplified system: 

1) the client sends a data item X to the TSS to be time stamped, 

2) the TSS responds immediately with the current L n and the necessary data 
5 for verifying the one-way dependency between L n and the time stamp for the 

previous round, signs to create an L n , and sends the signature D TSS (n,L n ) to the client, 
and 

3) if the round is over, the client may apply to the TSS for the data necessary 
to verify a one-way relationship between Ln and the time stamp for the round. 

10 The above embodiment thereby reduces the need for trusting the TSS in 

maintaining the temporal order of time stamped documents by preventing the TSS 
from having an opportunity to rearrange the documents. 
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It will be seen that by providing time stamp verification which is 
independent, or at least, relatively independent, of the TSS or third parties, the 
integrity of the signature is significantly improved. 
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We irtn pro*« ma upper bound for the length of the verifying chain foe the Unking 
•cheme described in Sect* 6. Let «= 2* - 1, Le. c* is the number of the Utt 
T«ctex of 7*. lb eimplify the proof we add the Yertex 0 to the acbecne and link 
it with «I1 the Yertioe* that have lees than two outgoing links. Time are exactly 
the verticee 6*. Let f (a, b) denote the length of the <bort<Kt path between a and 
6. The equation* £(0,6*) = X, i(ct-i,c k ) — 2 and e* - c*_i ~ e*-i + 1 follow 
Immediately from the definition. 

r^rmni 1. JfO<a<e* <b thcnlfab) «=/(a f ejb) + f(** f A). //c A _i < a < e* 
then «(a,e*) ~ *(a,e* - 1) +/(e* - l,e*). 

The riafmi abore follow ixnxnedijjUly from the ftructurij propertiai of the HnVrng 
echemc 

Lemma 2- //e*_i < a < 6 < e± tfcen /(a,i) = f(a — e*_i, 6 — e*-i). 

Proo/ Thie follows from the conecructioo of Tt from the two oopiee of 
Here a and & are vertices In the aecond copy of T*-i (or the last vertex of the 
first copy), and a — and 6 — tt-i are the aame rercicoe in the fim copy of 
T h -i (or the vertex 0). □ 

Lemma 3. #0 £ a < c k then f(0 f a) < *. 
Proof. In d uction oo 

f?a*cr Jk = L Then * = 0 and £(0»a) = 0<Jt. 
.Step/ fc > I. Observe the following caaee: 

- If 0 < a < cft-i then the induction astumption give* £(Q, o) < it — 1 < Jt. 

- If e,_ t <*<c* then £{Q,a) = 40,et~i) -h/(e*-i,a) - 1 + f(0,a - eV-i) 
by Lemma 2. Obeerve the following caaes : 
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• a < -e, ~ 1. Then <(0, a) ^ 1 + f(0,a - e*-,) < X + (fc - 1) xT* by 
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Lemma 4, Jj q < a < ej> /( 0 ,e fc ) < 2(fc - J), 
froo/. Induction on k. 

B+*m: k - L n«n a * 1 and i(a,c k ) « 0 «= 0 « 2(* - 1). 
A*?.- * > 1. Obeerre the falknrfn« cud: 

— If 0 < a < «*_, tbaa^Kc*) ~ /(a,c*. x ) + /(e*-j . «*) < 2(i - 2) + 2 « 
2(fc — 1) by Induction sMumpekm, 

— If <*-i < o 4* then obienm the following cam*: 

• ««= e*. Tim *(«,e*) = 0 < 2(fc - 1). 

• o < c*. Tbca /(a, eft) = /foea - 1) + -!.«•) = t{*~ C4-i.e^_i) + 
1 by the Tiwmtt 2. Induction m uniti on now g^rtst £(0,04) «c i(a — 
«*-x . e*-i) + 1 < 2(k - 3) + 1< 2<fc - 1). 

a 

/V«o/ fTSnonrm /J.- Inducttan on A. 

&ue: k-zl.Jn thfa cave one can dirocgy verify th*t *(«,6) < 4. 
Step: k > 3. Observe tba following CMet: 

— IfO<a<fc<; e A _ t Chen the inductfoo assumption gives us £(«, i) < 
3(*-l)-5 <3*-S. 

— If 0 < a < e 4 _i < t < e k then e*(a, b) - e*(a,e^,) + £(e*_, ,6) £ 2flfc - 2) + 
/(c*_i,6) by tb« Lemma. 4. The following caaes ore possible: 

« * « e* - 1. Then l(e*-i, 6) - 1< k - 1. 

• * < c* — 1. Thee the lemmaa 2 and 3 give 
*(<U-i,b) =rZ(0,6- efc-j) < k - 1. 

Thw *{«, *) < 2(± - 2) + * _ 1 = 3^ _ 6. 

— H c*_i ce<6<c 4 then obaorre the following cum: 

Then *(a, 6) * £(0, e A ) < 2(* - 1)< 3k - 6 by Lemma 4. 

• 6 < e«. Then *(a,ft) «= £(0 - e*-i,6- <u_ t ) $ S(k - 1) + « < SJfc - « by 
Lemma, 2 and inductkxi assumption. 

Q 

A* 0°***1 « * iff ««_, +l<6<e* + lwjet*< flogb) -f I and thus 
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Claims 

1 . A digital signature certification system comprising: 
creating a nonce; 

time stamping said nonce to create a time stamped nonce uniquely 
identifying said time stamp; 

attaching said time stamped nonce to a document; 
attaching a digital signature to said document with said nonce; 
time stamping said document and the signature; whereby 
uniquely represents said signature on said document. 

2. The system of claim 1 wherein said nonce is a random bit string having a 
length such that the probability of an identical nonce is insignificant. 

3. The system of claim 2 wherein reliance on a Time Stamping Service (TSS) 
for verification of a signature is reduced or eliminated. 

4. The system of claim 1 wherein reliance on RTA directly with other 
signatures is reduced or eliminated. 

5. The system of Claim 1 wherein said nonce is used as a time-related standard 
for RTA. 

6. A digital signature certification system comprising: 
creating a nonce; 

time stamping said nonce to create a time stamped nonce uniquely 
identifying said time stamp; 

attaching said time stamped nonce to a document; 

attaching a digital signature to said document; 

time stamping said document and the signature; whereby 
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the nonce stamp uniquely represents said signature on said document; 
creating said time stamped nonce entries as a binary database; 
linking said binary database to a verifiable RTA source; whereby 
said RTA source is a verifiable point for all said time stamped nonce entries 
5 within a time frame associated with said RTA. 

7. The system of claim 6 wherein said nonce is a random bit string having a 
length such that the probability of an identical nonce is insignificant. 

8. The system of claim 7 wherein reliance on a Time Stamping Service (TSS) 
for verification of a signature is reduced or eliminated. 

10 9. The system of claim 6 wherein reliance on RTA directly with other 
signatures is reduced or eliminated. 

10. A digital signature certification system comprising: 
creating a nonce means; 

relating said nonce means to some time standard uniquely identifying said 

15 nonce; 

attaching said nonce means to a document; 

attaching a digital signature to said document and to said nonce means; 

relating said document to said nonce means; whereby 

said nonce means uniquely identifies said signature on said document; 

20 11. The system of claim 1 0, comprising: 

creating said nonce means as a database means; 
linking said database means to a verifiable time; whereby 
said verifiable time thereby verifying signatures associated with said nonce 
means within a time frame associated with saicl verifiable time. 
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12. The system of claim 10 wherein said nonce means is a data means having 
characteristics such that the probability of an identical nonce means is insignificant. 

13. The system of claim 10 wherein reliance on commercial verification services 
for verification of a signature is reduced or eliminated. 

14. The system of claim 1 1 wherein reliance on time services for verification of 
signatures is reduced or eliminated. 

15. A method of time-stamping a digital document using a binary linking scheme 
where the value of the catenate certificate L n is generated by applying a one-way 
hash function H to a catenation comprising the value of the catenate certificate 

and the value of another suitably chosen catenate certificate L an) , with f being a fixed 
deterministic function algorithm, 

16. A method as claimed in claim 15 including verifying a one-way relationship 
between two time-certificates with a number of computational steps proportional to 
the logarithm of the number of time-stamped documents. 

17. A method of digital time-stamping wherein: 

each document X is given a time-certificate t(X) of reasonable length that 
uniquely defines the relative position of X inside the protocol-round it is 
time-stamped, and thereafter. 

given two documents X and Y and certificates t(X) and t(Y) a verifier is able 
to establish a one-way relationship between the corresponding time stamps. 
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18. A time-stamping procedure using a binary linking scheme, comprising: 
a client sends to a TSS a data item X to be time-stamped; 

the TSS answers immediately by sending then current L n and necessary data 
for verifying a one-way dependency between L n and a time-stamp, 
5 the TSS further signs L n and sends a signed receipt D {TSS} (n, L n ) to the client 

and, upon completion of a round, 

the client obtains the time-certificates. 

19. A method of determining a time of signing a document comprising: 
generating a nonce N and time-stamping the document with time-stamp 

10 L(N), 

signing the document, 

generating the time-stamp L(a) of the signature o = segp (L(N), X), and 
verifying the document by comparing time of issuance of L(N) and L(o). 

20. A method as claimed in claim 19 wherein the time-stamp L(N) and L(a) 

15 includes collision-resistant one way hash functions to prevent forgery of any of said 
time-stamps. 
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